Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of sharing a resource between software containers, the method implemented by a host computing device and comprising: detecting a request from a first software application in a first software container to access a resource of a second software application operating in a second software container that is different from the first software container, an operational state of the second software container being controlled by a container engine running on the host computing device; determining whether the first and second software applications are part of a same logical software application; and accepting or rejecting the request based on the determination, said accepting or rejecting comprising accepting the request based on the first and second software applications being part of the same logical software application; wherein the determining is based on one or more of: a runtime parameter included in a request to start the second software container; and an environment variable accessible to the container engine.
2. The method of claim 1, wherein: detecting the request comprises intercepting the request before the request is delivered to the second software container; accepting the request comprises delivering the request to the second software container; and rejecting the request comprises rejecting the request without delivering the request to the second software container.
3. The method of claim 1, wherein said accepting or rejecting comprises: determining whether the requested resource is marked as shared for the first software container by an entry in a security registry; and based on the first and second software applications being part of different logical software applications: accepting the request based on the requested resource being marked as shared for the first software container by an entry in the security registry; and rejecting the request based on the requested resource not being marked as shared for the first software container.
4. The method of claim 1, comprising: controlling an operational state of the first software container by a container engine running on a computing device that is different from the host computing device.
5. The method of claim 1, comprising: accepting an additional request to access a resource in the second software application based on the additional request being received from the second software container.
6. The method of claim 1, wherein said accepting or rejecting the request is further based on whether the first software container is digitally signed.
7. The method of claim 1, comprising: in response to the requested resource being an encrypted file in the second software container and the request being one to open the file, decrypting the encrypted file prior to providing the file to the first software container; and in response to the requested resource being an encrypted file in the second software container and the request being one to write data to the file, receiving the data from the first software container in unencrypted form and encrypting the data prior to saving it in the encrypted file in the second software container.
8. A host computing device comprising: memory configured to store a second software container; and processing circuitry operatively connected to the memory and configured to: detect a request from a first software application in a first software container that is different from the second software container to access a resource of a second software application in the second software container; and make a determination of whether the first software application and second software application are part of a same logical software application; accept or reject the request based on the determination, including accepting the request based on the first and second software applications being part of a same logical software application; wherein the determination is performed based on one or more of: a runtime parameter included in a request to start the second software container; and an environment variable accessible to the container engine.
9. The host computing device of claim 8, wherein: to detect the request, the processing circuitry is configured to intercept the request before the request is delivered to the second software container; to accept the request, the processing circuitry is configured to deliver the request to the second software container; and to reject the request, the processing circuitry is configured to prevent delivery of the request to the second software container.
10. The host computing device of claim 8, wherein the processing circuitry is configured to: determine whether the requested resource is marked as shared for the first software container; and based on the first and second software applications being part of different logical software applications: accept the request based on the requested resource being marked as shared for the first software container by an entry in a security registry; and reject the request based on the requested resource not being marked as shared for the first software container.
11. The host computing device of claim 8, wherein an operational state of the second software container is controlled by a container engine running on the host computing device, and an operational state of the first software container is controlled by a container engine running on a computing device that is different from the host computing device.
12. The host computing device of claim 8, wherein the processing circuitry is configured to accept an additional request to access a resource of the second software application based on the additional request being received from the second software container.
13. The host computing device of claim 8, wherein the processing circuitry is configured to accept or reject the request based on whether the first software container is digitally signed.
14. The host computing device of claim 8, wherein: based on the requested resource being an encrypted file in the second software container and the request being one to open the file, the processing circuitry is configured to decrypt the encrypted file prior to providing the file to the first software container; and based on the requested resource being an encrypted file in the second software container and the request being one to write data to the file, the processing circuitry is configured to receive the data from the first software container in unencrypted form and encrypt the data prior to saving it in the encrypted file in the second software container.
15. A method of sharing a resource between software containers, the method implemented by a host computing device and comprising: detecting a request from a first software application in a first software container to access a resource of a second software application operating in a second software container that is different from the first software container, an operational state of the second software container being controlled by a container engine running on the host computing device; and accepting or rejecting the request based on whether the first and second software applications are part of a same logical software application; wherein the first software application in the first software container is a webserver application; wherein the second software application in the second container is a database application; and wherein the logical software application that the webserver application and database application are part of is a Customer Relationship Management (CRM) system.
16. A host computing device comprising: memory configured to store a second software container; and processing circuitry operatively connected to the memory and configured to: detect a request from a first software application in a first software container that is different from the second software container to access a resource of a second software application in the second software container; and accept or reject the request based on whether the first and second software applications are part of a same logical software application, wherein the first software application in the first software container is a webserver application; wherein the second software application in the second container is a database application; and wherein the logical software application that the webserver application and database application are part of is a Customer Relationship Management (CRM) system.
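An added sketch (not code from the patent or from any product) of the accept/reject decision described in claims 1, 3, 5 and 6, showing why an unlabeled container must never count as "the same logical application". The `LOGICAL_APP` key, the per-container environment variable name, the registry tuple layout and the order of the checks are assumptions made for illustration.

```python
from dataclasses import dataclass, field

APP_KEY = "LOGICAL_APP"  # hypothetical label name; the claims name no key

@dataclass(frozen=True)
class Container:
    cid: str
    start_params: dict = field(default_factory=dict)  # runtime parameters of the start request
    signed: bool = True

@dataclass
class AccessGate:
    engine_env: dict = field(default_factory=dict)  # env vars visible to the container engine
    registry: set = field(default_factory=set)      # (owner cid, resource, requester cid)

    def logical_app(self, c):
        # Assumed lookup order: start parameter first, then an engine env var.
        return c.start_params.get(APP_KEY) or self.engine_env.get(f"{APP_KEY}_{c.cid}")

    def decide(self, requester, owner, resource):
        """Return (verdict, reason) for a request intercepted before delivery."""
        if requester.cid == owner.cid:                      # claim 5
            return "accept", "request from the owning container"
        if not requester.signed:                            # claim 6 (assumed: unsigned => reject)
            return "reject", "requester is not digitally signed"
        a, b = self.logical_app(requester), self.logical_app(owner)
        if a and a == b:                                    # claim 1; unlabeled pairs never match
            return "accept", "same logical application"
        if (owner.cid, resource, requester.cid) in self.registry:   # claim 3
            return "accept", "marked as shared in the security registry"
        return "reject", "different logical application and not shared"

def demo():
    # Constructed sample containers and policy, for illustration only.
    web = Container("web1", {APP_KEY: "crm"})
    db = Container("db1")                      # labelled through the engine env var
    report = Container("rep1", {APP_KEY: "analytics"})
    stray = Container("x1")
    other = Container("x2")
    rogue = Container("web2", {APP_KEY: "crm"}, signed=False)
    gate = AccessGate(engine_env={"LOGICAL_APP_db1": "crm"},
                      registry={("db1", "/data/summary.csv", "rep1")})
    cases = [(web, db, "/data/customers.db"), (report, db, "/data/customers.db"),
             (report, db, "/data/summary.csv"), (stray, other, "/etc/app.conf"),
             (rogue, db, "/data/customers.db"), (db, db, "/data/customers.db")]
    return [gate.decide(r, o, res)[0] for r, o, res in cases]

if __name__ == "__main__":
    print(demo())
```

The fourth case is the one to watch in a real policy engine: two containers with no label at all are rejected rather than treated as sharing an empty application name.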
August 24, 2021